06-27-2016 09:18 AM
Hi guys,
I'm trying to block .exe files, but allow file names for some users.
For example, I would like to allow the GoToMeetingLauncher.exe for GoToMeeting webinars, but the links look like the below which means it can't be done.
https://live.paloaltonetworks.com/t5/Management-Articles/Can-Files-be-Blocked-by-Name/ta-p/54157
Anyone have an insight as to what they have done before, or what could be done?
Kind regards
Jack
06-27-2016 09:31 AM
Create custom URL category.
Add download.citrixonline.com into it.
Allow download of executables (for specific users) from that URL category.
06-28-2016 06:23 AM
Hi Raido,
Hmm, thanks for your response but this didn't work.
I have created the custom category and set it to Alert for the policy that applies to me, but when I tried the download again this is still being blocked. It doesn’t seem to override the file block policy. Is there a different way of doing this?
Cheers
Jack
06-28-2016 06:31 AM
You have to have 2 separate security policies and 2 separate File Blocking profiles.
The top sec policy will allow download of executables and has the URL category attached to it.
06-29-2016 05:43 AM
Hi,
I can go to the website and download the launcher fine, it’s other websites that I can’t access anymore (because I set all other categories to Block). In my mind I’m expecting to hit the top policy for downloads only (hence blocking everything else) then hit the regular policy below for all other traffic.
06-29-2016 07:26 AM
Palo is a "top down ACL", so if you're using all the same parameters except just changing a profile, the rules below the one above should be shadowed and not hit.
When you committed did you get a "shadowed rule" warning message?
06-29-2016 08:01 AM - edited 06-29-2016 08:02 AM
Yeah so essentially, the match conditions are the same, so the traffic will hit the first rule that it applies to regardless of what file blocking profile you have.
Is there any workaround for this at all? Would it be possible to set up an Untrust to Trust policy from the web server where you're downloading from, which then has an alternate file blocking profile to allow this specific traffic I'm trying to download an EXE of?
06-29-2016 08:09 AM
The workaround is a roll-up or integration of all match conditions and desired accesses/restrictions for the desired user security group.
06-29-2016 08:35 AM
Could you decipher that please..
06-29-2016 09:57 AM
For the sake of argument:
Rule 1
Trust --> Any IP --> Security Group A --> UnTrust --> Any IP --> Application Web-Browsing --> Application-Default --> Any URL Category --> Allow --> URL Profile A (Block Everything) / File Blocking Profile (Can transfer .pdfs only)
Rule 2
Trust --> Any IP --> Security Group A --> UnTrust --> Any IP --> Application Web-Browsing --> Application-Default --> Any URL Category --> Allow --> URL Profile A (Allow Everything) / File Blocking Profile (Can transfer .pdfs only)
Rule 1 will shadow rule 2 because it's the same base session match criteria. The application web-browsing will be allowed but the palo doesn't know which rule should "hit" WRT your URL match criteria.
Really the easiest way to do what you want is to do as Raido said.
1. Create a Custom URL category (Call it whatever "Meeting") --> Add the URL download.citrixonline.com
2. Create a File Blocking Profile ("EXE Allow") --> Allow exe files to download
3. Create Rule
Trust --> Any IP --> Security Group A --> UnTrust --> Any IP --> Application Web-Browsing --> Application-Default --> "Meeting" --> Allow --> NO URL PROFILE / File Blocking Profile "EXE Allow"
Have this rule be above your "Security Group A" "Web-Browsing" rule. This rule will only allow users access to the URL "download.citrixonline.com" and will allow them to download .exe files.
06-30-2016 03:33 AM
Hi Brandon,
Thanks for your reply.
Adding the download.citrix URL to the category alone didn't resolve the issue, however I believe I have fixed it. In the traffic logs, when accessing the GoToMeeting link I saw an IP address which then after an nslookup resolved to apiglobal.gotomeeting.com. I added this as well to the custom URL category which allowed me to use GoToMeeting and still block EXE files.
Thanks for your help
Jack
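The behaviour the thread ends up with (Brandon's three steps, plus Jack's finding that a second hostname seen in the traffic logs had to be added to the custom category) comes down to one rule: profiles are applied after a rule has matched, only the match criteria decide which rule is hit. The following is an added example written for this page, not code from the thread or from Palo Alto Networks. It is a small Python model of a first-match rulebase that assumes zone, user group, application and URL category are the match criteria and treats the URL Filtering and File Blocking profiles as post-match actions; the rule names, the user group "group-a", the "Group A web" rule and the stand-in predefined category are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Mapping, Optional, Sequence, Set

# Constructed model of a first-match ("top down") security rulebase in the
# style of PAN-OS. Assumption: zone, user group, application and URL category
# are match criteria; the URL Filtering and File Blocking profiles run only
# after a rule has matched, so they never influence which rule is hit.
ANY = "any"

@dataclass(frozen=True)
class Rule:
    name: str
    from_zone: str
    to_zone: str
    user_group: str                 # ANY or a group name
    application: str
    url_categories: FrozenSet[str]  # match criterion: {ANY} or named categories
    action: str                     # "allow" or "deny"
    # URL Filtering profile: None = no profile, else the only categories allowed
    url_allowed: Optional[FrozenSet[str]] = None
    # File Blocking profile: file type -> "allow" / "block"
    file_block: Mapping[str, str] = field(default_factory=dict)

@dataclass(frozen=True)
class Session:
    from_zone: str
    to_zone: str
    user_group: str
    application: str
    host: str
    file_type: Optional[str] = None  # "exe" for the launcher download, None for browsing

# Custom URL category "Meeting" from the thread. apiglobal.gotomeeting.com is
# the extra host that showed up in the traffic logs; without it the fix fails.
CUSTOM_URL_CATEGORIES: Dict[str, Set[str]] = {
    "Meeting": {"download.citrixonline.com", "apiglobal.gotomeeting.com"},
}

def categorize(host: str, categories: Dict[str, Set[str]] = CUSTOM_URL_CATEGORIES) -> str:
    """Custom categories win; every other host gets a stand-in predefined category."""
    for category, hosts in categories.items():
        if host in hosts:
            return category
    return "computer-and-internet-info"  # assumption: stand-in predefined category

def _covers(rule_value: str, other: str) -> bool:
    return rule_value == ANY or rule_value == other

def rule_matches(rule: Rule, s: Session, categories=CUSTOM_URL_CATEGORIES) -> bool:
    """Only the real match criteria are consulted; the attached profiles are not."""
    return (_covers(rule.from_zone, s.from_zone) and _covers(rule.to_zone, s.to_zone)
            and _covers(rule.user_group, s.user_group)
            and _covers(rule.application, s.application)
            and (ANY in rule.url_categories
                 or categorize(s.host, categories) in rule.url_categories))

def first_match(rules: Sequence[Rule], s: Session, categories=CUSTOM_URL_CATEGORIES) -> Optional[Rule]:
    for rule in rules:  # top down, first hit wins
        if rule_matches(rule, s, categories):
            return rule
    return None

def evaluate(rules: Sequence[Rule], s: Session, categories=CUSTOM_URL_CATEGORIES) -> str:
    """Rule lookup first, then the matched rule's profiles, in that order."""
    rule = first_match(rules, s, categories)
    if rule is None or rule.action != "allow":
        return "deny"
    if rule.url_allowed is not None and categorize(s.host, categories) not in rule.url_allowed:
        return f"blocked by URL filtering profile on '{rule.name}'"
    if s.file_type and rule.file_block.get(s.file_type, "allow") == "block":
        return f"blocked by file blocking profile on '{rule.name}'"
    return f"allow via '{rule.name}'"

def shadowed_rules(rules: Sequence[Rule]) -> List[str]:
    """Rules no session can ever reach, which is what the commit-time warning reports."""
    def shadows(earlier: Rule, later: Rule) -> bool:
        return (_covers(earlier.from_zone, later.from_zone)
                and _covers(earlier.to_zone, later.to_zone)
                and _covers(earlier.user_group, later.user_group)
                and _covers(earlier.application, later.application)
                and (ANY in earlier.url_categories
                     or (ANY not in later.url_categories
                         and later.url_categories <= earlier.url_categories)))
    return [later.name for i, later in enumerate(rules)
            if any(shadows(earlier, later) for earlier in rules[:i])]

def group_a(host: str, file_type: Optional[str] = None) -> Session:
    return Session("trust", "untrust", "group-a", "web-browsing", host, file_type)

# First attempt: the custom category only lives inside the URL Filtering profile,
# so both rules have identical match criteria and the second one is never hit.
BROKEN = [
    Rule("Meeting exe (wrong)", "trust", "untrust", "group-a", "web-browsing",
         frozenset({ANY}), "allow", url_allowed=frozenset({"Meeting"}), file_block={"exe": "allow"}),
    Rule("Group A web", "trust", "untrust", "group-a", "web-browsing",
         frozenset({ANY}), "allow", file_block={"exe": "block"}),
]

# Fix: "Meeting" is a match criterion on the top rule, which has no URL profile,
# so every other site falls through to the general rule that still blocks .exe.
FIXED = [
    Rule("Meeting exe", "trust", "untrust", "group-a", "web-browsing",
         frozenset({"Meeting"}), "allow", file_block={"exe": "allow"}),
    Rule("Group A web", "trust", "untrust", "group-a", "web-browsing",
         frozenset({ANY}), "allow", file_block={"exe": "block"}),
]

if __name__ == "__main__":
    print("shadowed in BROKEN:", shadowed_rules(BROKEN), " in FIXED:", shadowed_rules(FIXED))
    for host, ftype in [("download.citrixonline.com", "exe"), ("example.com", "exe"), ("example.com", None)]:
        print(f"{host:26} {ftype or 'browse':6} BROKEN: {evaluate(BROKEN, group_a(host, ftype))}")
        print(f"{host:26} {ftype or 'browse':6} FIXED:  {evaluate(FIXED, group_a(host, ftype))}")
```

Running it shows the two symptoms from the thread side by side: in the first attempt the lower rule is reported as shadowed and ordinary browsing dies on the top rule's URL profile, while the launcher download still goes through; with the category moved into the match criteria nothing is shadowed, the launcher host is allowed, and an .exe from any other site is still stopped by the general rule's file blocking profile. Passing a category map that lacks apiglobal.gotomeeting.com reproduces the failure Jack saw in the traffic logs: that host falls through to the general rule and the download is blocked.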